Microsoft's Security Advice To Users:
Don't Take Candy From Strangers
(2/6/97; 5:44 p.m. EST)
By Clare Haney, TechWire

REDMOND, Washington -- The activities of a group of German hackers a week ago have forced Microsoft to further accelerate its attempts to publicize the inherent dangers lurking on the Internet.

Last Wednesday, the Chaos Computer Club, a well-established hacker organization headquartered in Hamburg, demonstrated on German television how its members could theoretically electronically transfer funds from an individual's bank account without using a personal identification number or a transaction number.

The demo centered around the hackers being able to gain access to the transaction list contained within Intuit's personal accounting software Quicken via an ActiveX control, while using Microsoft's Explorer Web browser.

Once a user has accessed the Web site containing the ActiveX control and the applet has recognized that Quicken is on the victim's machine, the control gives the accounting software a transfer order, which is then saved along with the other pending Quicken transfer orders. The damage is done the next time the user sends off their pending transfer orders to the bank.

All the orders would then be executed, including the ActiveX one, meaning that money could potentially be spirited out of the user's account, without their knowledge, and into that of the hackers.

Cornelius Willis, group product manager for Internet platforms at Microsoft, stressed the theoretical nature of the TV demonstration, saying "We have yet to determine if there has been a security breach. This is the usual thing people do - carry out a demo and get a lot of publicity. But we do take this kind of thing very seriously."

He revealed that Microsoft has already made contact with CCC and is "encouraging them to co-operate," although the hackers have yet to release the ActiveX control to the company so that it can check the control out. The Club is promising to publicly release the ActiveX control on the Web on February 20.

Willis went on to emphasize the general nature of the problem.

"Clearly, ActiveX will get a bad rap here, but that's a mistake, this involves all executables," Willis said. "We are concerned that users understand that all executable content on the Internet is potentially dangerous. No user should download applets from unknown sources. The basic message here is: don't take candy from strangers. The problems are becoming a bit better understood, but we've really got to educate users."

He added that Microsoft expects to highlight this issue with a program to be launched within the next few weeks that, among other things, will involve bringing a chat site on Internet security already hosted on the company's Web site more to the fore.

He pointed to the fact that the current version of Internet Explorer 3.0 is the only Web browser to include code signing, a feature Microsoft calls Authenticode, allowing users to identify "with a high degree of certainty" the author of a Java applet, an ActiveX control or a plug-in and to determine that the component in question hasn't been tampered with in transit to the user's desktop.

Willis also recommends that, in order to ramp up their Internet security protection, corporations should establish internal testing organizations to give such components a digital certificate certifying that they have been shown to be non-malicious to potential end users.
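As an added illustration of the two-layer model Willis describes, publisher code signing plus a certificate from a corporate testing organization, here is example code that is not from the article, Microsoft or Intuit. It stands in Ed25519 detached signatures for Authenticode's certificate-based signatures, and the publisher name "Example Vendor", the policy layout and the control bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Component: downloaded code plus detached publisher (Authenticode role) and lab signatures.
type Component struct{ Code, PublisherSig, LabSig []byte }

// Policy: keys one desktop trusts, i.e. known publishers and the corporate test lab (hypothetical names).
type Policy struct {
	Publishers map[string]ed25519.PublicKey
	Lab        ed25519.PublicKey
}

// Admit returns nil only if the code is from a known publisher, unmodified since signing, and lab-certified.
func (p Policy) Admit(c Component, publisher string) error {
	pk, ok := p.Publishers[publisher]
	if !ok {
		return errors.New("unknown publisher: don't take candy from strangers")
	}
	d := sha256.Sum256(c.Code) // signatures cover the digest of the exact bytes received
	if !ed25519.Verify(pk, d[:], c.PublisherSig) {
		return errors.New("publisher signature invalid: forged or tampered in transit")
	}
	if !ed25519.Verify(p.Lab, d[:], c.LabSig) {
		return errors.New("not certified by the internal testing organization")
	}
	return nil
}

// Scenario generates fresh keys and a constructed sample control (not the CCC control).
func Scenario() (Policy, Component) {
	vPub, vPriv, _ := ed25519.GenerateKey(rand.Reader)
	lPub, lPriv, _ := ed25519.GenerateKey(rand.Reader)
	code := []byte("constructed ActiveX control bytes")
	d := sha256.Sum256(code)
	c := Component{Code: code, PublisherSig: ed25519.Sign(vPriv, d[:]), LabSig: ed25519.Sign(lPriv, d[:])}
	return Policy{Publishers: map[string]ed25519.PublicKey{"Example Vendor": vPub}, Lab: lPub}, c
}

func main() {
	p, c := Scenario()
	fmt.Println(p.Admit(c, "Example Vendor"), "/", p.Admit(c, "Stranger"))
}
```

A component that passes only the publisher check is still refused, which is the point of the corporate certificate: a validly signed control from a known vendor is not the same as one the organization has tested.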

For Intuit, Mark Goines, the company's international vice president, asserts that its Quicken software already contains a stringent review process for any transaction, comprising authorization, review, verification, review and reverification stages.

Goines said that the TV program provoked very little reaction, but that a few worried Intuit customers did contact the company's German office. Like Microsoft's Willis, he stresses the theoretical nature of the hackers' demonstration and adds that Intuit's German staff want to investigate some of the claims made by CCC in the program.